Atrivo Shutdown Hastened Demise of Storm Worm

The infamous Storm worm, which powered a network of thousands of compromised PCs once responsible for sending more than 20 percent of all spam, appears to have died off. Security experts say Storm's death knell was sounded by the recent shutdown of Atrivo, a California based ISP that was home to a number of criminal cyber crime operations, including at least three of the master servers used to control the Storm network.

The Storm network consisted of a complex hierarchy of servers designed to balance the load of sending spam and and to hide the location of the master servers that the Storm worm authors used to operate the network.

Three out of four of those control servers were located at Atrivo, a.k.a. Intercage, said Joe Stewart, a senior security researcher with Atlanta based SecureWorks who helped unlock the secrets of the complex Storm network. The fourth server, he said, operated out of Hosting.ua, an Internet provider based in the Ukraine.

Stewart said the final spam run blasted out by Storm was on Sept. 18.Three days later, Atrivo was forced off the Internet after its sole remaining upstream provider -- Pacific Internet Exchange (PIE) -- decided to stop routing for the troubled ISP. In the weeks leading up to that disconnection, four other upstream providers severed connectivity to Atrivo, following detailed reports from Security Fix and Host Exploit that pointed to a massive amount of spam, malicious software and a host of other cyber criminal operations emanating from it.

Stewart said spam sent by the Storm network had been steadily decreasing throughout 2008, aided in large part by the inclusion of the malware in Microsoft's malicious software removal tool, which has scrubbed Storm from hundreds of thousands of PCs since last fall. Stewart said it's impossible to tell whether the Storm worm was disrupted by the Atrivo shutdown or if the worm's authors pulled the plug themselves and decided to move on. But at least 30,000 systems remain infected with the Storm malware.

"Maybe the Storm worm guys didn't want to cut it off on Sept. 18, but the takedown of Atrivo was probably the last nail in the coffin," he said.

Atrivo's demise also impacted other major spam botnets. Immediately after Atrivo's demise, e-mail security firm MessageLabs reported a precipitous -- if short-lived -- decline in the volume of spam being sent out by other spam-enabling malware, including Cutwail, Srizbi, and MegaD.

The Storm worm authors could decide to restart the network and resume blasting spam through it, but Stewart said he thinks that's unlikely. Experts have estimated spam sent through the Storm network earned millions of dollars for the the Storm worm authors, who rented out capacity on the network to other spammers.

"It's possible these guys just decided they'd made enough money and that it was time to move on," Stewart said.

It's nice to see something like this happen. My only worry is that this may give rise to net vigilantes who are not inclined to behave in the same manner as those who took down Atrivo.

The situation with Atrivo/Intercage was extremely well documented. There was no doubt about what needed to be done there. As long as in the future the keyboard cowboys maintain the same kind of diligence before meting out justice, I'm a happy camper.